Re: Determining how and why an object was updated.
From: Dave Slinn (dslinn_at_accesscomm.ca)
Date: 11/24/04
Date: Wed, 24 Nov 2004 09:51:16 -0600
John - thanks for the reply - you have helped solve my problem.
I found the ActiveSDHolder object and sure enough - the ACL that it had was
exactly what the other user object ACL was getting reset to. I checked the
groups that this user belonged to, and then checked which groups those
groups belonged to, etc. etc. and found one that was a "more" privileged
one. I removed that group from the user object in question, and the ACL on
that object now retains my changes.
Whew - there's just too much to know with regards to Active Directory...
"John Negus" <jnegus@mask.msetechnology.com> wrote in message
news:OzlVAkQ0EHA.3376@TK2MSFTNGP12.phx.gbl...
> Hello David,
>
> By "Security Group permission that I add to a particular User keeps
> getting removed" do you mean delegate administrative permissions to a
> security group to a particular user object or do you mean adding a user
> to a group?
>
> If it is the first one, my next question would be is your user a member
> of a builtin administrative group?
>
> If so, there is a process called the AdminSDHolder Thread that runs
> every hour on the PDC Emulator FSMO role that compares the ACLs of
> security principals that are members of administrative groups with the
> ACL of the AdminSDHolder container located in the domain System
> container. If there is a difference, the ACL of the Security Principal is
> reset to match that of the container. This is explained in the article
> below.
>
> http://support.microsoft.com/default.aspx?scid=kb;en-us;Q232199
>
> HTH
>
> --
> John Negus
> MSEtechnology
> --
>
>
>
> "David Slinn" <dslinn@accesscomm.ca> wrote in message
> news:%231DusCQ0EHA.1188@tk2msftngp13.phx.gbl...
> > Ok, here's the situation.
> >
> > We have two domain controllers. One of them (which we consider the
> > primary and was the first domain controller on our network) has all
> > five FSMO roles.
> >
> > The second was set up just to maintain a second copy of the AD
> > database. We have a relatively small network (about 100 users).
> >
> > Lately, a Security Group permission that I add to a particular User
> > keeps getting removed. It's very perplexing. We shut down the second
> > server altogether, thinking that the replication was not occurring
> > correctly, but that has not fixed the problem.
> >
> > So, with the second server down (meaning we have only one running
> > Active Directory domain controller right now), I changed the object by
> > adding back the permission and then checked the Update Sequence Number.
> > It was set to 401290 and the Last Change was accurate (6:00pm.). I
> > checked back in 1 hour, and the Update Sequence Number was now 401380
> > and the Last Update was 6:44pm. I re-added the permission back to the
> > object, and checked the USN: 401505, Modified at 8:02pm. I will post
> > back further if it gets overwritten again (which it probably will.)
> >
> > What could have updated this object, given that the only other Domain
> > Controller was not even turned on?
> >
> > Thanks,
> >
> > Dave Slinn
> >
> >
>
>
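
Added example, not part of the original thread: the nested-group walk described in the reply at the top (check the user's groups, then the groups those belong to, and so on) as a breadth-first search that returns the full membership chain to each administrative group. The directory data, the account and group names other than the built-in operator/admin groups, and the function names are constructed for illustration; in practice the `member_of` map would be filled from an export of each object's `memberOf` attribute.

```python
from collections import deque

# Constructed sample data: principal or group -> groups it is a direct member of.
MEMBER_OF = {
    "svc-user": ["Helpdesk", "Staff"],
    "Helpdesk": ["Tier2 Support"],
    "Tier2 Support": ["Print Operators", "Helpdesk"],  # circular nesting on purpose
    "Staff": [],
    "jdoe": ["Staff"],
}

# Assumption: a few of the built-in administrative groups whose members the
# AdminSDHolder thread protects. Extend this set to match your domain.
PROTECTED = {"Administrators", "Domain Admins", "Account Operators",
             "Backup Operators", "Print Operators", "Server Operators"}


def protected_paths(principal, member_of, protected):
    """Return one shortest membership chain to every protected group reachable
    from `principal` through direct or nested membership."""
    paths = []
    seen = {principal}              # guards against circular group nesting
    queue = deque([[principal]])
    while queue:
        chain = queue.popleft()
        for parent in member_of.get(chain[-1], []):
            if parent in seen:
                continue
            seen.add(parent)
            longer = chain + [parent]
            if parent in protected:
                paths.append(longer)
            queue.append(longer)    # keep walking: protected groups can nest too
    return paths


def direct_memberships_to_review(principal, member_of, protected):
    """Direct memberships of `principal` that lead to a protected group,
    i.e. the candidates for removal if the ACL reset is unwanted."""
    return {p[1] for p in protected_paths(principal, member_of, protected)}


if __name__ == "__main__":
    for chain in protected_paths("svc-user", MEMBER_OF, PROTECTED):
        print(" -> ".join(chain))
    print(direct_memberships_to_review("svc-user", MEMBER_OF, PROTECTED))
```
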